In today's connected society, computer malware is a continuing, and increasing, problem. Such malware includes, but is not limited to, computer viruses, trojans, botnets, spyware, and the like. Such malware can create problems not only for the user of an infected computer, but also for other users on the same network and/or across the Internet. Merely by way of example, a computer infected with malware might (or might not) suffer performance issues (e.g., as the malware consumes resources on the infected computer), but such an infected computer can also infect other computers and/or participate in a larger botnet (e.g., as part of a phishing scam, distributed denial of service attack, etc.). In fact, the malware issue has become sufficiently acute that many Internet service providers (“ISP”) attempt, either voluntarily, as part of industry agreements and/or standards, and/or in response to government requests/regulations, to diagnose infected subscribers and assist subscribers in treating such infections (i.e., removing the malware from the infected computer).
A typical subscriber (also referred to herein as a customer), however, operates a premise network at the subscriber's premises, whether the premises is a home or business. In many cases, a gateway (described herein as a “premise gateway” or “PG”) serves to provide communication between the premise network and the ISP network that provides Internet access for the subscriber. A typical premise gateway is a residential gateway (“RG”), which is disposed at a customer's residence; premise gateways with similar (and/or more robust) functionality might be located in multi-tenant dwellings and/or businesses, in order to provide connectivity for those types of customers. Such gateways (which can be implemented as broadband modems, wireless routers, and the like, often in various combinations) can serve as routers, and in that role, many such gateways provide address translation services for devices (e.g., personal computers, wireless phones, handheld computers, tablet computers, video game consoles, etc.) that are connected to the premise network.
Address translation services, which include but are not limited to Network Address and Port Translation (“NAPT”), provide a valuable function, in that they allow multiple devices on the premise network to send and receive data over the ISP network, without requiring the ISP to allocate a separate IP address for each device. (One skilled in the art should appreciate that a variety of techniques, such as network address translation (“NAT”), port address translation (“PAT”), IP masquerading, NAT Overload, and many-to-one NAT, can be used to obfuscate a device's actual IP address, for a variety of reasons. Such techniques are generically referred to herein as “NAPT.”) Instead, the address translation service in the gateway provides the gateway's own IP address and/or a particular port as the source of outgoing packets, and receives packets for all the devices on the premise network using its own IP address and/or a specific port as the destination address/port, thereafter re-addressing the packets to be distributed within the premise network to each device as appropriate. In addition, the gateways can provide firewall capabilities, blocking some or all access to devices behind the gateway. Gateway firewalls can operate in conjunction with or independently from NAPT functionality.
Such services, while conserving scarce network resources, such as IP addresses, create problems for ISPs attempting to diagnose malware infections. For instance, even if an ISP is able to determine that one of its subscribers is using a device with a malware infection, the ISP typically will not be able to determine which device (or devices) on the subscriber's premise network is/are actually infected, because packets traveling over the ISP network from the subscriber's devices all appear as if they originated from the subscriber's gateway, rather than individual devices. Thus, the best an ISP typically can do is to inform a subscriber that there appears to be an infected device on the subscriber's premise network, but the ISP is unable to provide any detailed identification of which of the subscriber's devices are infected. Moreover, subscribers often grow frustrated with such generic information and are unlikely to invest the time or effort necessary to first determine which device or devices may be infected, and second treat infection(s) on such device(s). Hence, despite the best efforts of the ISP, the subscriber's device(s) continue to be infected with malware, and the problem continues to grow.
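The attribution gap described above can be seen in a simplified NAPT model. The following is an added example, not part of the original text; the `Napt` class, all addresses and ports are constructed for illustration, and dropping inbound packets that match no mapping is an assumption of this model.

```python
"""Simplified NAPT model (added example; addresses and ports are constructed)."""

GATEWAY_WAN_IP = "203.0.113.10"   # constructed gateway address on the ISP side
FLAGGED_DST = "198.51.100.66"     # constructed destination the ISP has flagged


class Napt:
    def __init__(self, wan_ip, first_port=40000):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}    # (lan_ip, lan_port, proto) -> wan_port
        self.back = {}   # (wan_port, proto) -> (lan_ip, lan_port)

    def outbound(self, pkt):
        """Rewrite a LAN packet so it appears to come from the gateway."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt["proto"])] = key[:2]
            self.next_port += 1
        return {**pkt, "src": self.wan_ip, "sport": self.out[key]}

    def inbound(self, pkt):
        """Re-address a reply to the LAN device, or None if no mapping exists."""
        lan = self.back.get((pkt["dport"], pkt["proto"]))
        return None if lan is None else {**pkt, "dst": lan[0], "dport": lan[1]}

    def attribute(self, wan_pkt):
        """Gateway-side lookup: which LAN endpoint produced this WAN packet?"""
        return self.back.get((wan_pkt["sport"], wan_pkt["proto"]))


def run_demo():
    napt = Napt(GATEWAY_WAN_IP)
    lan_traffic = [  # constructed sample flows from three premise devices
        {"src": "192.168.1.21", "sport": 51000, "dst": "192.0.2.8", "dport": 443, "proto": "tcp"},
        {"src": "192.168.1.22", "sport": 51000, "dst": "192.0.2.8", "dport": 443, "proto": "tcp"},
        {"src": "192.168.1.23", "sport": 49152, "dst": FLAGGED_DST, "dport": 8080, "proto": "tcp"},
    ]
    wan = [napt.outbound(p) for p in lan_traffic]
    flagged = next(p for p in wan if p["dst"] == FLAGGED_DST)
    reply = {"src": FLAGGED_DST, "sport": 8080, "dst": GATEWAY_WAN_IP,
             "dport": flagged["sport"], "proto": "tcp"}
    return {
        "isp_sources": {p["src"] for p in wan},    # all the ISP can observe
        "flagged_wan": (flagged["src"], flagged["sport"]),
        "gateway_says": napt.attribute(flagged),   # known only to the gateway
        "reply_to": napt.inbound(reply)["dst"],
    }
```

On the ISP side every flow, including the flagged one, carries the gateway's address as its source; only the translation table held in the gateway maps the flagged flow back to a specific premise device.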
In light of this situation, one easily can ascertain a need for more robust solutions for detecting and/or treating malware infections on subscriber devices.